Attackers can Abuse Remote Assistance App

Monday, March 26, 2018 @ 04:03 PM gHale

This is yet another lesson in patching as soon as a patch becomes available: a Windows vulnerability fixed early this month during Patch Tuesday can allow an attacker to pilfer sensitive files using the built-in Remote Assistance solution.

Remote Assistance, which comes by default in Windows, enables users to receive technical support by sending just an invitation file, which in turn allows an engineer to connect to their system by simply launching this file and without any other authentication methods.

While the process is fairly smooth and can be very effective when it comes to receiving technical support, it turns out it leaves the door open to hackers who might want to extract data.

A flaw in the XML invitation file, discovered by researcher Nabeel Ahmed, can be leveraged to automatically look for a certain file after the connection is established and upload it to a pre-defined remote server.

Since the hacker has to alter the configuration data in the XML file and then convince the target to open the invitation, it means users are pretty much secure unless they launch files coming from sources they don’t trust. Hackers can only extract specific files they know exist on the target system, though this method can be used for logs and backups.

“To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. An attacker could then steal text files from known locations on the victim’s machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim,” Microsoft said in a post.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action,” Microsoft researchers said.

The vulnerability was documented in CVE-2018-0878 and was reported to Microsoft in November last year. A patch was released in 2018, so up-to-date systems are protected against exploits aimed at this flaw.
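Microsoft's advisory for CVE-2018-0878 describes the flaw as incorrect processing of XML external entities, so a useful check before an invitation reaches a user is to flag any DTD or entity declaration in the file. The following is an added example, not code from this article or from Microsoft; the function names and the two sample invitations (simplified, not the real invitation schema) are constructed for illustration.

```python
import codecs
import re

# A plain invitation has no reason to carry a DTD or entity declarations.
_DOCTYPE = re.compile(r"<!DOCTYPE\b")
_ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)?")

_BOMS = ((codecs.BOM_UTF8, "utf-8"),
         (codecs.BOM_UTF16_LE, "utf-16-le"),
         (codecs.BOM_UTF16_BE, "utf-16-be"))


def decode_invitation(raw: bytes) -> str:
    """Decode by BOM first: in a UTF-16 file a byte search for '<!DOCTYPE' finds nothing."""
    for bom, enc in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc, errors="replace")
    if b"\x00" in raw[:4]:  # UTF-16 without a BOM
        enc = "utf-16-le" if raw[1:2] == b"\x00" else "utf-16-be"
        return raw.decode(enc, errors="replace")
    return raw.decode("utf-8", errors="replace")


def inspect_invitation(raw: bytes) -> list[str]:
    """Return findings; an empty list means no DTD or entity declaration was seen."""
    text = decode_invitation(raw)
    findings = []
    if _DOCTYPE.search(text):
        findings.append("doctype")
    for m in _ENTITY.finditer(text):
        kind = "parameter-entity" if m.group(1) else "entity"
        scope = "external" if m.group(3) else "internal"
        findings.append(f"{scope} {kind}: {m.group(2)}")
    return findings


# Constructed samples (hypothetical element and attribute names).
CLEAN = b'<?xml version="1.0"?><invitation ticket="CONSTRUCTED"/>'
SUSPECT = codecs.BOM_UTF16_LE + (
    '<?xml version="1.0"?>'
    '<!DOCTYPE invitation [<!ENTITY ref SYSTEM "http://placeholder.invalid/x">]>'
    '<invitation ticket="CONSTRUCTED"/>'
).encode("utf-16-le")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, inspect_invitation(sample) or "no findings")
```

A file that produces any finding can be quarantined rather than delivered; the check complements the patch and does not replace it.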